The Nomad token bridge hack on August 3 was the fourth largest crypto hack in history which saw nearly $200 million in crypto assets drained from the platform. However, more than the hack, the underlying methodology has received wide attention.
The exploit took place due to a smart contract vulnerability that also involved hundreds of users other than the hacker, removing as much as they could by simply copy-pasting the transaction data used by the hacker initial and changing the wallet address to their own. . The event was later considered a decentralized robbery by many due to the involvement of normal community members.
Later the Nomad team revealed to Cointelegraph that some of the people who took funds were acting benevolently to keep the crypto from falling into the wrong hands.
In the aftermath of the hack, crypto analytics group BestBrokers discovered that the first exploit took place on August 1, which drained 400 Bitcoin (BTC) in four different transactions. The hackers then hijacked the 22,880 Ether (ETH), then grew to over $107 million worth of stablecoins and eventually began hijacking project-backed altcoins.
The incident saw WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (AID), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL) and Charli3 (C3) tokens taken from the deck.
Related: Ongoing Solana-based wallet hack sees millions drained
Some stolen altcoins on the platform suffered a 94% drop. Data collected by the analytics firm showed that the following altcoins suffered the biggest crash after the hack:
The smart contract vulnerability that was exploited was highlighted in a security audit report conducted by Quantstamp in the first week of June. The Nomad team even responded to the vulnerability by saying that it was “effectively impossible to find the empty sheet preimage”.
Auditors estimated that the Nomad team misunderstood the issue at the time, and within two months the same vulnerability was responsible for nearly $200 million in losses.
Cointelegraph has contacted Nomad with questions related to the discovery and will update the story accordingly.